class: Cryptography

HTDB supports the encryption and decryption of strings. The underlying routines are based on the RC4 encryption algorithm (although we are close to allowing arbitrary encryption using the libmcrypt library). Encrypted strings are passed through a modified base64 encoding so that the results are usable in URLs and GET/POST results.

Typically, encryption is used to mask GET arguments: the script writer encrypts name/value pairs which, when included in hyperlinks or GET/POST forms, are transparently decrypted by the system on the receiving web page.

There are 3 "classes" of encryption which differ only by the key used in encryption. The three classes are described below. These classes may be extended by a knowledgeable programmer.

note: this code is derived from the (now public-domain) RC4 algorithm and is made web-usable via modified base64 encoding code, originally released under the Mozilla Public License.


base

This "base" key should only be used internally for "bootstrapping" purposes. These routines are used when decrypting values that are contained in HTDB configuration files and session cookies. This will keep the casually curious from readily observing configuration parameters, such as database passwords and the like. The base encryption routines should remain private and should not be used for web name/value encryption.
${be1(string)}

input: ${be1(hello world)}
yields: |be1|2PGeu5Pu3ARKJ3o


${be1(encrypted_string)}

input: ${be1(|be1|2PGeu5Pu3ARKJ3o)}
yields: hello world

session

If HTDB is configured to have web session tracking enabled, the session_id will be used as part of the encryption/decryption key.

This enables extremely secure access to web pages: such pages are only accessible from the computer that originated the page request. In other words, URLs with GET parameters can be freely observed, but the destination page will only decrypt properly for a single computer.


${se1(string)}

input: ${se1(hello world)}
yields: |se1|vNKuJyN8soMAIPM


${se1(encrypted_string)}

input: ${se1(|se1|vNKuJyN8soMAIPM)}
yields: hello world

public

"Public" means public in the sense that URLs containing these encrypted GET arguments are intended for public consumption.

The key used is specified in the site-specific HTDB configuration file.


${pe1(string)}

input: ${pe1(hello world)}
yields: |pe1|bG12HaWlYmZqMpA


${pe1(encrypted_string)}

input: ${pe1(|pe1|bG12HaWlYmZqMpA)}
yields: hello world


${encrypt(string)}

input: ${encrypt(hello world)}
yields: |pe1|bG12HaWlYmZqMpA
notes: the encrypt function is provided as a convenient synonym for pe1
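
The three key classes above, sketched as an added example; this is not HTDB's code. The key values, the way the session id is mixed into the se1 key, and the use of unpadded URL-safe base64 in place of HTDB's modified encoding are assumptions, so the tokens will not match the ones shown on this page.

```python
import base64

# Constructed sample keys; a real deployment reads these from configuration.
BASE_KEY = b"constructed-base-key"
SITE_KEY = b"constructed-site-key"

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then XOR the data with the keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def class_key(cls: str, session_id: str) -> bytes:
    """Pick the key for a class; the se1 derivation is an assumption."""
    if cls == "be1":
        return BASE_KEY
    if cls == "pe1":
        return SITE_KEY
    if cls == "se1":
        return SITE_KEY + b":" + session_id.encode()
    raise ValueError(f"unknown class: {cls}")

def crypt(cls: str, arg: str, session_id: str = "") -> str:
    """Encrypt plain text, or decrypt a '|cls|...' token, like ${cls(...)}."""
    key = class_key(cls, session_id)
    prefix = f"|{cls}|"
    if arg.startswith(prefix):  # token in, plain text out
        body = arg[len(prefix):]
        raw = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
        return rc4(key, raw).decode("utf-8", "replace")
    token = base64.urlsafe_b64encode(rc4(key, arg.encode())).decode()
    return prefix + token.rstrip("=")

if __name__ == "__main__":
    link = crypt("se1", "hello world", session_id="sess-A")
    print(link)                                           # token for session A
    print(crypt("se1", link, session_id="sess-A"))        # original text
    print(repr(crypt("se1", link, session_id="sess-B")))  # unrelated bytes
```

In this sketch a token opened under the wrong session id comes back as unrelated bytes rather than an error, and the token body is exactly as long as the encoded plain text (15 characters for "hello world", the same length as the sample outputs on this page), so the receiving page has to validate the decrypted values itself.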

   